Chrome 72 released with 58 security fixes, deprecates TLS 1.0 and 1.1

Google has released Chrome 72 to the stable desktop channel, which makes it available for download by everyone. In this version, support for TLS 1.0 and TLS 1.1 has been deprecated, HTTP-Based Public Key Pinning (HPKP) has been removed, and resources from FTP servers will no longer be displayed.

Chrome 72 also no longer allows pop-ups while a page is unloading. The built-in pop-up blocker already prevented this, but such pop-ups are now blocked by default regardless of whether the pop-up blocker is on.

Windows, Mac and Linux desktop users can upgrade to Chrome 72.0.3626.81 by going to Settings -> Help -> About Google Chrome; the browser will automatically check for a new update and install it when one is available.

TLS 1.0 and 1.1 are deprecated

Although support for TLS 1.0 and 1.1 is only deprecated in the current version of Chrome, it will be removed completely in early 2020 with the release of Chrome 81.

According to Google, “during the period of obsolescence, sites using these protocols will display a warning in DevTools. After a period of obsolescence in 2020, they will not be able to connect if they are not updated to TLS 1.2 by that time.”

The deprecation and eventual removal of the TLS 1.0 and 1.1 secure communication protocols was announced in October 2018 as part of a coordinated announcement by Google, Microsoft, Apple and Mozilla.

Google also decided to drop support for HTTP-Based Public Key Pinning (HPKP), a feature designed to “allow websites to send an HTTP header that secures one or more public keys that are present in the site’s certificate chain.”

However, because of its low adoption rate and because it can cause denial of service and carries the risk of hostile pinning, HPKP is no longer present in either the desktop or the mobile version, following its initial deprecation in Chrome 65.
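
Since Chrome no longer acts on the header, a site audit can flag responses that still send it. The following is an added example, not code from the article or from Chrome: it parses the HPKP header's directives (syntax as defined in RFC 7469) and reports the properties behind the denial-of-service concern. The function names, finding codes, the 60-day threshold and the sample header are assumptions made for illustration.

```python
import base64

HPKP_HEADERS = ("public-key-pins", "public-key-pins-report-only")
LONG_MAX_AGE = 60 * 86400  # assumed review threshold (60 days), not from the article

def parse_hpkp(value):
    """Parse an HPKP header value (RFC 7469 directive syntax) into a dict."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    # Naive split: assumes no ';' inside a quoted report-uri value.
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def valid_pin(pin):
    try:  # a pin is the base64 encoding of a 32-byte SHA-256 digest
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:
        return False

def audit_headers(headers):
    """Return sorted finding codes for HPKP headers in a response-header dict."""
    findings = set()
    for name, value in headers.items():
        if name.lower() not in HPKP_HEADERS:
            continue
        policy = parse_hpkp(value)
        good = [p for p in policy["pins"] if valid_pin(p)]
        checks = {
            "hpkp-header-present": True,  # candidate for removal from the server
            "malformed-pin": len(good) < len(policy["pins"]),
            "no-backup-pin": len(set(good)) < 2,  # RFC 7469 expects a backup pin
            "missing-max-age": policy["max_age"] is None,
            "long-max-age": (policy["max_age"] or 0) > LONG_MAX_AGE,  # long lockout
            "covers-subdomains": policy["include_subdomains"],
        }
        findings.update(code for code, hit in checks.items() if hit)
    return sorted(findings)

# Constructed sample header; the pin encodes 32 zero bytes, not a real key.
SAMPLE = {"Public-Key-Pins":
          'pin-sha256="%s"; max-age=31536000; includeSubDomains' % ("A" * 43 + "=")}
print(audit_headers(SAMPLE))
```

A single pin with a one-year max-age and includeSubDomains is the configuration in which losing the pinned key locks out clients that still honour the header.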

Blocks third-party applications from code injection

With the display of FTP resources removed in Chrome 72, the browser will continue to generate FTP directory listings, but non-directory resources will no longer load in the browser.

Starting with this stable release, Google’s web browser has an internal page that lets users see all the interstitial warnings or notifications that can be displayed when browsing the web with Chrome.

Chrome now also blocks third-party applications from injecting code into the browser. The biggest impact of this change falls on antivirus and other security programs, which often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and various other threats.

With this feature, you can see a list of incompatible applications by typing chrome://settings/incompatibleApplications in the Chrome address bar, which displays all detected programs and offers to remove them.

Warning about problematic applications in Chrome

Critical and serious security issues fixed

The Chrome 72 update also includes 58 security fixes, among them one critical fix that corrects the “inappropriate implementation on the QUIC network” and 17 high-severity fixes provided by third-party researchers.

The remaining security fixes in Chrome 72 came from internal audits and other initiatives, using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer or AFL.

A full list of all the changes in this release is available in the Chrome 72 changelog, and more information about the development features can be found on the Google Chrome developer platform.